Stopping SB2 revealing my WPA key



max.spicer
2005-07-14, 14:46
It's just occurred to me that anyone with access to my SB2 and its remote can easily discover the WPA key for my wireless network. Whilst I might be quite happy for my neighbours to come round and pick their own music on my SB2, I'd rather they weren't then able to go home and connect to my wireless network! This is especially bad as I would guess that a lot of people use the same password for a lot of other things. Couldn't the SB2's firmware be changed to mask the password once it's been entered?

Peter van Cooten
2005-07-15, 11:14
You are right, of course. An extra security measure is to limit access to your
network to certain MAC-addresses only (your own hardware). Most wireless
access points have this feature.

Bye
Peter

-----Original Message-----
From: max.spicer [mailto:max.spicer.1s6j1b (AT) no-mx (DOT) forums.slimdevices.com]
Sent: Thursday 14 July 2005 23:47
To: discuss (AT) lists (DOT) slimdevices.com
Subject: [slim] Stopping SB2 revealing my WPA key


It's just occurred to me that anyone with access to my SB2 and its remote
can easily discover the WPA key for my wireless network. Whilst I might be
quite happy for my neighbours to come round and pick their own music on my
SB2, I'd rather they weren't then able to go home and connect to my wireless
network! This is especially bad as I would guess that a lot of people use
the same password for a lot of other things. Couldn't the SB2's firmware
be changed to mask the password once it's been entered?


--
max.spicer

The wild things roared their terrible roars and gnashed their terrible teeth
and rolled their terrible eyes and showed their terrible claws but Max
stepped into his private boat and waved good-bye

water
2005-07-15, 11:55
i consider this a design error that should be corrected asap.

the real risk in the case might not be that big, but a password should never be visible in plain text like this.

is it possible to control the access to the setup menu on the sb2?
if so that should be the way to go until slimdevices fixes the design flaw.

:water

JJZolx
2005-07-15, 11:58
> It's just occurred to me that anyone with access to my SB2 and its remote can easily discover the WPA key for my wireless network. Whilst I might be quite happy for my neighbours to come round and pick their own music on my SB2, I'd rather they weren't then able to go home and connect to my wireless network! This is especially bad as I would guess that a lot of people use the same password for a lot of other things. Couldn't the SB2's firmware be changed to mask the password once it's been entered?

Man, what kind of neighbors do you have? :-) Do you also have to keep an eye on the silverware while they're over playing music on your stereo?

It's never a good thing to reuse passwords. On a web site that I maintain, the old programmer kept user passwords in plaintext in the database. Many of the people on the site have Hotmail or Yahoo email accounts. Sure enough, when I went to either site and logged in using the email and password from the database I logged right in to about 1/2 of those accounts. Very scary.

jackaninny
2005-07-15, 16:17
displaying ANY passwords/passphrase/keys in plain text is bad design (no offense to slim as i think this was just a simple oversight). as designers, coders, and admins we try to pound basic and simple security into end-users' heads and to ignore this particular oversight just contributes to overall relaxed security practices. i know most people are not designing spy satellites for the nsa but good design makes a product stand out.

i hope this issue will find a resolution in upcoming revs of the slim software and firmware.

Mitch Harding
2005-07-15, 17:52
Has anyone opened a bug on this yet? That's the first step to getting
this fixed.

On 7/15/05, jackaninny <jackaninny.1s8hvb (AT) no-mx (DOT) forums.slimdevices.com> wrote:
>
> displaying ANY passwords/passphrase/keys in plain text is bad design (no
> offense to slim as i think this was just a simple oversight). as
> designers, coders, and admins we try to pound basic and simple security
> into end-users' heads and to ignore this particular oversight just
> contributes to overall relaxed security practices. i know most people
> are not designing spy satellites for the nsa but good design makes a
> product stand out.
>
> i hope this issue will find a resolution in upcoming revs of the slim
> software and firmware.
>
>
> --
> jackaninny
>

Dave D
2005-07-16, 04:37
> displaying ANY passwords/passphrase/keys in plain text is bad design

I kind of like being able to see what I entered, vs. a bunch of asterisks, for example, but I understand your point. It might be nice then, to be able to enter a PIN which would make the WEP or WPA sensitive info be readable. No PIN entered and you'd get the standard asterisks.

max.spicer
2005-07-16, 07:24
Consider the neighbours hypothetical ones! It's still a valid point though. I often have friends come round and the first thing they do when seeing the SB2 (apart from drool) is to browse through all its features (prior to drooling more!). In this case, they could easily discover my WPA key unintentionally.

As for reusing passwords, it may not be a good idea but that unfortunately does not stop everyone from doing it!

Max


> Man, what kind of neighbors do you have? :-) Do you also have to keep an eye on the silverware while they're over playing music on your stereo?
>
> It's never a good thing to reuse passwords. On a web site that I maintain, the old programmer kept user passwords in plaintext in the database. Many of the people on the site have Hotmail or Yahoo email accounts. Sure enough, when I went to either site and logged in using the email and password from the database I logged right in to about 1/2 of those accounts. Very scary.

max.spicer
2005-07-16, 07:40
I have done now - it's Bug 1828.

Max


> Has anyone opened a bug on this yet? That's the first step to getting
> this fixed.